Apple's iOS is vulnerable to web-based attacks that force third-party apps to make phone calls and carry out other sensitive operations without first warning the user, a security researcher has warned. Researcher Nitesh Dhanjani shows here how the planting of a simple iframe on a webpage can force the Safari browser to open …
Gives a new meaning to...
There's an app for that.
...it's starting to look like like smartphones are the new dumbphones.
And, what's this business about being "yanked out" of Safari?
Yanked out? Jerked off, more like.
Thanks, you've been wonderful. I'm here all week.
Can we have a no-iPhone/Pad/Pod-news-week on El Reg?
No doubt people are now busily working out how to exploit this and get it live, so people should be made aware.
Welcome back to the 90's and premium dialers all over again.
So long as we can have equivalent no Android, Symbian, Crackberry, (insert other random tech) weeks.
Whether people like it or not, the iPhone/Pad/Pod is a technical device and this is a technical matter being raised on a tech website.
You don't have to read an article if you don't want to - there are one or two other articles around here, otherwise, you could always go to www.disney.com.
I'm sure there's a Greasemonkey script for that! (tm) ;)
yeah but . . .
. . . what would happen to those who only come to comment on how the Reg is a huge advert for anything Mac? How would they vent thier spleen if the only outlet is blocked to them? What would the poor things do?
Think of the children ffs, you heartless bastard
Thanks for playing.
re: No iPhone Week
Are you saying that only simple-minded folk would ever buy an iPhone, and so coverage of the device has no place on a technical website?
When one heads to the comments there is just a clusterf*** between Apple-bashers and Apple-lovers instead of a reasoned discussion of the tech issues involved...
Steve's world; Steve's rules
"...Apple's security team told him the onus is on third-party app developers..."
I was under the impression the onus is never on third-party app developers? If Apple runs a restricted shop then Apple must take responsibility for all of it, not just the good bits.
An other surface of attack
Most of this smart devices use the PC as an aux for sync and else. Maybe one day we will learn that an iPlode can break OSX.
User has no
control over iPhone device.
How is this news?
Oh, get knotted Jobs!
"Apple's security team told him the onus is on third-party app developers to make their programs ask for permission before carrying out such actions"
You sold/passed the app through the wonderful Jobsian application filter that is supposed to weed out crud like this.
You passed it on, you carry the can Jobs!
"an annoying and jarring experience"
Such is the nature of warnings that something bad is about to happen. For instance, fire alarms don't emit gentle waves of birdsong, and it's ice cream vans that play twinkly versions of Greensleeves rather than ambulances.
Yet another undocumented Lemon 5 feature revealed. I am running out of fingers counting!
Increasingly people must question Apple's poor code verification as well as what they laughingly call :quality control".
Some of the faults should have been caught before Lemon 4 hit the stores. The pressure to deliver must have been great but as Ford proudly boasts: "Quality is Job 1".
Jobs' attitude that he and Apple are better than anyone (sic) invites criticism. If Jobs' spent less time sticking his prowess in the face of others, he might garner some sympathy.
He can spend untold hours fruitlessly (no pun intended) locking up his little toy but what's the point if it's so dysfunctional? The 'free calling' when locked and remote web site calling are major flaws that should have been caught months ago.
Even iPhans patience has limits, it's reaching the point of abuse now.
"As long as Skype is installed and it stores the victim's account password, the attack will work with no warning, he wrote."
Absolutely no warning, apart from you know - the Web page you are browsing disapearing and Skype launching instead and dialling a number.
The article makes it sound as if the dialling would happen sneakily in the background. I reckon having an application, that you installed launch right in your face and stop your browsing session might be a bit of a clue.
It's all very well giving Apps option 'switches' but they take knowledge to select
iPhans/fanbois are different from Android people as they are obviously very happy for Jobs' to make decisions for them and how they can use the new tethered (to Jobs) toys.
Android folk, as well as others, are more independent and, seemingly, more technical. They are used to making decisions.
If Apple offers App control panels to select services by users, this will be a sharp turn in the road - iPhans are simply not prepared for this operating change, it is a significant Apple psychological change that they may not be prepared to handle without careful thought being given to this sea-change.
"Android folk ... more technical ... used to making decisions"
Is it possible that next time you post you could include a little more blind prejudice, just so that when you claim to be all rational and technical there's something for us to point at while we're laughing.
The technical illteracy continues unabated.
This is an app URL. An App url will load the application which registers to handle the URL. For instance if you click on a web url in an email, the OS passes that specific URL to the app which handles a standard web URL - your default browser.
All OSes do this. Phone or not.
If you click an email URL in any text field the OS passes this to the email app.
Click on a location and the OS handles it by sending it to Maps, or whatever app registered to handle locations.
Click on a skype URL ( which would have skype somewhere in it's namespace) then skype gets the URL and handles it by calling the number. Which:
a) has nothing to do with the OS which passes on the url to the app registering for it. The rest of the URL is just a number.
b) Is a feature, not a bug. It is as expected. Click on a number and the OS will try and call it. You can possibly stop the call if your IQ was above 75.
Which excludes the first 16 commentators. This is not a security violation, all OSes do it, and the tin foil comicbookguy shut ins who hate everything Apple are not as smart as they think they are. I own smarter dogs.
My dog can't read, can yours?
Presumably you missed the bit about using an iFrame to automatically make the call, not requiring the user to click on anything. Perhaps your dogs could teach you to read thoroughly?
Certainly it's easy enough to cancel an unwanted call, but the point is that it should not be possible to initiate a call unbidden in the first place.
iFramed? Heh, an Apple friendly recapitalization for that age old exploit precursor...
No warning ?
I'd have thought the fact that safari disappears and skype appears in its place telling you it's currently dialling a number would probably be a pretty big clue.
Plus, hey ho boys and girls, that's not a bug, it's a feature. URL handling is working as designed, and much as you little bitches love to bash Apple, it IS the responsibility of the application to sanitise input and decide what to do with it. Always.
Another day, another example of a self aggrandising 'security researcher' misunderstanding practically everything except how to get his name in the news, and the same tired, ignorant reaction from the commentards.
Same old, same old.
And we complained about Microsoft..
making things too easy at the expense of sensible security!
Apple fanbois - surely even you can see this is not a good idea. Or perhaps you can't see out of your walled garden!
This is a Microsoft design...
The model of using the same set of helper application bindings for trusted and untrusted sources was originally a Microsoft design, and until 2004 was limited to Windows.
Cool! What's old is new again!
Remember the old Modem Redialer Attacks?
Make some money, make them call through some south sea island for fun and profit!
Call 900 numbers with exorbitant fees, or just plain cause embarrassment with all those Goat Lust calls...
The iPhone Eloi can tell you, "There's an app for that..."
What is the problem here actually? If anything it should be the Skype app handling the dialogue before just doing what another application tells it to do.
What's next week from this 'security analyst' that you can connect to a an ftp site? Or perhaps use nfs or afp or what ever URL link.
Sometimes a little bit of knowledge can make you look like a fool.
"You have clicked a link. Links may lead to different websites and/or services, which may be harmful. Do you want to proceed?"
"You clicked on 'Yes'. Clicking on affirmative buttons could cause an action you have requested to be actually executed. Are you sure you want to proceed?"
Splendid idea. Put this into iOS, then every Vista user will feel right at home.
Where do you want to go today?
It's not just iOS
I've been bitching about Apple's laissez-faire approach to helper applications since 2004. The fact that they're simply copying Microsoft's model is no excuse.